Analysis

  • max time kernel
    70s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-08-2024 04:30

General

  • Target

    Locky.exe

  • Size

    180KB

  • MD5

    b06d9dd17c69ed2ae75d9e40b2631b42

  • SHA1

    b606aaa402bfe4a15ef80165e964d384f25564e4

  • SHA256

    bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

  • SHA512

    8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

  • SSDEEP

    3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Locky.exe
    "C:\Users\Admin\AppData\Local\Temp\Locky.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2464
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SendUpdate.vdw
    1⤵
    • Modifies registry class
    PID:2732

Network

  • DNS lookup (US)
    Domain: abxmocu.nl
    Process: Locky.exe
    Remote address: 8.8.8.8:53
    Request: abxmocu.nl IN A
    Response:
  • DNS lookup (US)
    Domain: nnhyamwgyq.pm
    Process: Locky.exe
    Remote address: 8.8.8.8:53
    Request: nnhyamwgyq.pm IN A
    Response:
  • DNS lookup (US)
    Domain: fdaddgfjc.tf
    Process: Locky.exe
    Remote address: 8.8.8.8:53
    Request: fdaddgfjc.tf IN A
    Response:
  • DNS lookup (US)
    Domain: hglmgixwfdcmj.us
    Process: Locky.exe
    Remote address: 8.8.8.8:53
    Request: hglmgixwfdcmj.us IN A
    Response:
  • DNS lookup (US)
    Domain: uviya.us
    Process: Locky.exe
    Remote address: 8.8.8.8:53
    Request: uviya.us IN A
    Response:
  • DNS lookup (US)
    Domain: mlbauxfqtmwxxgn.yt
    Process: Locky.exe
    Remote address: 8.8.8.8:53
    Request: mlbauxfqtmwxxgn.yt IN A
    Response:
  • 86.104.134.144:80
    Locky.exe
    152 B
    3
  • 8.8.8.8:53
    Domain: abxmocu.nl
    Protocol: dns
    Process: Locky.exe
    Sent: 56 B (1 packet)
    Received: 127 B (1 packet)
    DNS Request: abxmocu.nl
  • 8.8.8.8:53
    Domain: nnhyamwgyq.pm
    Protocol: dns
    Process: Locky.exe
    Sent: 59 B (1 packet)
    Received: 119 B (1 packet)
    DNS Request: nnhyamwgyq.pm
  • 8.8.8.8:53
    Domain: fdaddgfjc.tf
    Protocol: dns
    Process: Locky.exe
    Sent: 58 B (1 packet)
    Received: 118 B (1 packet)
    DNS Request: fdaddgfjc.tf
  • 8.8.8.8:53
    Domain: hglmgixwfdcmj.us
    Protocol: dns
    Process: Locky.exe
    Sent: 62 B (1 packet)
    Received: 125 B (1 packet)
    DNS Request: hglmgixwfdcmj.us
  • 8.8.8.8:53
    Domain: uviya.us
    Protocol: dns
    Process: Locky.exe
    Sent: 54 B (1 packet)
    Received: 117 B (1 packet)
    DNS Request: uviya.us
  • 8.8.8.8:53
    Domain: mlbauxfqtmwxxgn.yt
    Protocol: dns
    Process: Locky.exe
    Sent: 64 B (1 packet)
    Received: 124 B (1 packet)
    DNS Request: mlbauxfqtmwxxgn.yt

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2464-0-0x0000000000220000-0x0000000000224000-memory.dmp
    Filesize: 16KB
  • memory/2464-1-0x0000000000220000-0x0000000000224000-memory.dmp
    Filesize: 16KB
  • memory/2464-2-0x0000000000400000-0x00000000007D1000-memory.dmp
    Filesize: 3.8MB
  • memory/2464-4-0x0000000000400000-0x00000000007D1000-memory.dmp
    Filesize: 3.8MB
  • memory/2464-6-0x0000000000400000-0x00000000007D1000-memory.dmp
    Filesize: 3.8MB
  • memory/2464-8-0x0000000000400000-0x00000000007D1000-memory.dmp
    Filesize: 3.8MB
